VPC sharing allows multiple Alibaba Cloud accounts to create cloud resources, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB RDS instances, in shared and centrally-managed virtual private clouds (VPCs). Shared VPCs are based on the resource sharing mechanism. A VPC owner can share vSwitches with other Alibaba Cloud accounts that belong to the same Alibaba Cloud enterprise account organization.
Features
A VPC owner (resource owner) can share non-default vSwitches with other Alibaba Cloud accounts (resource users). The resource owner and resource users must belong to the same resource directory. A resource directory allows you to create a hierarchical map of relations among resources and facilitates resource management. For more information, see Resource sharing overview.

Feature and supported regions
The following table lists the regions that support the VPC sharing feature.
Area | Supported region |
---|---|
Asia Pacific | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), and Indonesia (Jakarta) |
Europe and Americas | US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London) |
Middle East and India | India (Mumbai) and UAE (Dubai) |
Area | Supported region |
---|---|
Asia Pacific | China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and Singapore (Singapore) |
Permissions of the resource owner and resource users
After a resource owner shares a vSwitch with a resource user, the resource owner and user have the following permissions on the shared vSwitch and the resources in the shared vSwitch:
Role | Supported operation | Unsupported operation |
---|---|---|
Resource owner | | Modify or delete resources created by the resource user in the shared vSwitch. |
Resource user | If the vSwitch is shared, the resource user can create, modify, or delete cloud resources, such as ECS, SLB, and ApsaraDB RDS instances, in the shared vSwitch. | If the vSwitch is shared, the resource user cannot view, modify, or delete the resources created by other Alibaba Cloud accounts (resource owners and resource users) in the shared vSwitch. |
Resource user | If the vSwitch is no longer shared, the resource user can view, use, modify, and delete the resources that are created by the resource user in the vSwitch. | If the vSwitch is no longer shared, the resource user cannot view the resources associated with the vSwitch, such as VPCs, route tables, and network ACLs. In addition, the resource user cannot create resources in the vSwitch. |
Network resource | Resource owner operation | Resource user operation |
---|---|---|
VPC | All operation permissions. | View the VPC to which the shared vSwitch belongs. |
vSwitches | All operation permissions. Note: If the resource owner wants to delete the vSwitch, the vSwitch must not be shared with the resource user. In addition, the resources created by the resource owner and resource user in the vSwitch must be deleted. | |
Route tables | All operation permissions. | View route tables and route entries that are associated with the shared vSwitch. |
Network ACLs | All operation permissions. | View network ACLs that are associated with the shared vSwitch. |
Private CIDR blocks | View private CIDR blocks of the VPC and all vSwitches that belong to the VPC. | View the private CIDR block of the shared vSwitch. |
Flow logs | | No operation permission. |
NAT gateways | All operation permissions. | No operation permission. |
VPN gateways | All operation permissions. Note: The resources created by the resource owner and resource user in the vSwitch can communicate with external networks through VPN gateways. | No operation permission. |
Cloud Enterprise Network (CEN) instances | All operation permissions. Note: The resources created by the resource owner and resource user in the vSwitch can communicate with external networks through CEN instances. | No operation permission. |
VPC peering connections | All operation permissions. Note: The resources created by the resource owner and resource user in the vSwitch can communicate with external networks through VPC peering connections. | No operation permission. |
Tags | Resource sharing does not affect the tags added to resources by the resource owner. When the vSwitch is shared, the resource owner and resource user can add tags to their own resources. The resource user cannot view the tags added by the resource owner and the resource owner cannot view the tags added by the resource user. The tags added by the resource owner and resource user do not affect each other. When the vSwitch is not shared, the system deletes the tags added by the resource user in the vSwitch. |
Billing rules
In a shared VPC, each resource user pays for its own instances, such as ECS, SLB, and ApsaraDB RDS instances. The resource owner pays for gateway resources, such as NAT gateways, VPN gateways, and public bandwidth.
Limits
Item | Limit | Adjustable |
---|---|---|
Number of resource users supported by each VPC | 20 | N/A |
Number of resource users supported by each vSwitch in a VPC | 20 | |
Number of vSwitches that can be shared with each resource user | 10 | |
Number of IP addresses that each VPC can use | Shared by the resource owner and resource users | |
Types of vSwitches that can be shared | Non-default vSwitches | |
Cloud resources that can be created in a shared vSwitch | | |
Limits on security groups in a shared VPC | | |
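The following added example (not part of the Alibaba Cloud documentation) audits an exported list of vSwitch shares against the limits in the table above and the same-resource-directory requirement. The inventory shape, rule names, and account and resource IDs are hypothetical, and the 10-vSwitch limit per resource user is assumed to be counted across the whole inventory.

```python
from collections import defaultdict

# Limits taken from the Limits table on this page.
MAX_USERS_PER_VPC = 20
MAX_USERS_PER_VSWITCH = 20
MAX_SHARED_VSWITCHES_PER_USER = 10  # assumed to count across all VPCs

def audit_shares(vswitches, directory_accounts):
    """Return a sorted list of (rule, subject) findings.

    vswitches: dicts with keys id, vpc, owner, is_default, shared_with
    (a hypothetical inventory shape, not an Alibaba Cloud API response).
    directory_accounts: account IDs that belong to the resource directory.
    """
    findings = set()
    users_per_vpc = defaultdict(set)
    vswitches_per_user = defaultdict(set)
    for vsw in vswitches:
        users = set(vsw["shared_with"])
        if not users:
            continue  # unshared vSwitches are out of scope
        if vsw["is_default"]:
            findings.add(("default-vswitch-shared", vsw["id"]))
        if len(users) > MAX_USERS_PER_VSWITCH:
            findings.add(("vswitch-user-limit", vsw["id"]))
        # Owner and users must be in the same resource directory.
        for account in users | {vsw["owner"]}:
            if account not in directory_accounts:
                findings.add(("outside-directory", account))
        for user in users:
            users_per_vpc[vsw["vpc"]].add(user)
            vswitches_per_user[user].add(vsw["id"])
    for vpc, users in users_per_vpc.items():
        if len(users) > MAX_USERS_PER_VPC:
            findings.add(("vpc-user-limit", vpc))
    for user, shared in vswitches_per_user.items():
        if len(shared) > MAX_SHARED_VSWITCHES_PER_USER:
            findings.add(("user-vswitch-limit", user))
    return sorted(findings)

# Constructed sample inventory; every ID below is made up.
DIRECTORY = {"owner-1"} | {f"acct-{i}" for i in range(1, 25)}
SAMPLE = [
    {"id": "vsw-a", "vpc": "vpc-1", "owner": "owner-1", "is_default": False,
     "shared_with": [f"acct-{i}" for i in range(1, 16)]},
    {"id": "vsw-b", "vpc": "vpc-1", "owner": "owner-1", "is_default": True,
     "shared_with": [f"acct-{i}" for i in range(10, 22)] + ["acct-ext"]},
]

if __name__ == "__main__":
    for rule, subject in audit_shares(SAMPLE, DIRECTORY):
        print(f"{rule}: {subject}")
```

In the sample, neither vSwitch exceeds 20 resource users on its own, but together they put 22 distinct accounts in one VPC, which only the per-VPC aggregation catches.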
Enable VPC sharing
For more information, see Enable VPC sharing.